
Google Cloud (GCP) Client Authorization Configuration

The Script Market supports collecting cloud resource and cloud monitoring metrics from GCP through a service account and reporting them to Guance/TrueWatch. Users grant the required authorization by configuring that service account.

1. Preliminary Work

Ensure that the following APIs are enabled for each project to be monitored:

2. Create a Service Account

To collect GCP resources via the Dataflux Func Script Market, you first need to create a GCP service account on the GCP platform.

Open your Google Cloud Console and navigate to IAM & Admin / Service accounts.

Click Create service account, enter a Service account name, then click Create and continue.

Grant access permissions to the service account for the project:

  • Monitoring Viewer
  • Compute Viewer
  • Cloud Asset Viewer
  • Browser

(Screenshot: create-service-account)

Click Done. At this point the service account you created has all the permissions required to collect resources under the current project. If you want to use this service account to collect resources from every project in an organization, select the organization and grant the same roles to the service account in IAM & Admin / IAM.

3. Create a Service Account Key (Optional)

If your service account allows key creation (that is, the organization policy constraint iam.disableServiceAccountKeyCreation is not enforced):

  1. Click on the service account you just created.
  2. Select the Keys tab, click Add Key > Create new key, choose JSON as the key type, and download the key file for safekeeping.

If your service account does not allow key creation, refer to the next item Service Account Impersonation.

4. Service Account Impersonation (Optional)

Service Account Impersonation allows an external GCP service account to act with the permissions of a service account created on your GCP platform, without that account ever having a key. Here we define two service accounts:

  • Sovereign Service Account: the service account created above (it holds the actual permissions but cannot create keys).
  • External Service Account: a service account from another GCP organization (it can create keys).

Authorize the external service account to impersonate the sovereign service account:

  1. Click on the service account (the sovereign service account) created above.
  2. Select the Principals with access tab and click Grant access.
  3. Under Add principals, enter the email address of the external service account.
  4. Under Assign roles, choose Service Account Token Creator.

(Screenshot: service-account-auth)

At this point the external (delegated) service account can impersonate the sovereign service account of the platform whose resources are collected, and carry out the collection with its permissions.

Next, create a key for the external delegated service account and keep it for the collector configuration.

5. Script Market Collector Configuration

In the previous steps we created the private key for the service account; now log in to the Dataflux Func platform to complete the collector configuration.

Upload Key to Dataflux Func File Management

  1. Enable the file management module: on the «Manage» page, click «Experimental Features» > «Enable File Management», then refresh the page; «File Management» will appear under «Experimental Features».

(Screenshot: file-manage-enable)

  2. Click «File Management» and upload the private key file.

(Screenshot: private-to-file-manage)

Copy the full name of the private key file (including the .json extension). You can also place it in another directory, in which case copy the full path instead, e.g., /a/b/key_file.json.

Install/Deploy Collector

Install Collector

Search for the required GCP services in the official script market and click install.

Deploy Collector

A configuration input box will pop up.

(Screenshot: service-account-input)

Input box introduction:

  • GCP Service Account File Name: the path of the service account key file in file management (file storage).
  • GCP Service Account Email: the email address of the service account.
  • GCP Service Account Private Key: the private key of the service account.
  • Target Principal: when using service account impersonation, the email address of the service account to be impersonated.
  • Your Account Name: a display name you define for this service account.

Please fill in the input box according to how the key file is stored.

GCP Service Account File Name, GCP Service Account Email, GCP Service Account Private Key

  1. When the key file is stored in «File Storage» (recommended):
     • GCP Service Account File Name: enter the key file path in file management.
     • GCP Service Account Email: ignore.
     • GCP Service Account Private Key: ignore.

  2. When not using file storage, you can copy private_key and client_email directly out of the private key file:
     • GCP Service Account Email: enter the value of client_email.
     • GCP Service Account Private Key: enter the value of private_key.
     • GCP Service Account File Name: ignore.

  3. When the key is configured in the Dataflux Func platform as the environment variable GOOGLE_SERVICE_ACCOUNT_INFO (paste the key file contents into it and save it as JSON type):
     • GCP Service Account File Name: ignore.
     • GCP Service Account Email: ignore.
     • GCP Service Account Private Key: ignore.

The environment variable can hold only one service account key, and it applies globally.

(Screenshot: private-to-env)

Fill in the remaining input box according to whether the configured service account is a delegated (impersonating) service account or not.

Target Principal: enter the email address of the service account to be impersonated; if impersonation is not used, ignore it.
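The following is an added example, not the Script Market collector's own code. It shows how the three key sources described above (file management path, inline client_email and private_key, or the GOOGLE_SERVICE_ACCOUNT_INFO variable) can be resolved in the same order of preference, rejected when the key document is incomplete, and then turned into google-auth credentials that impersonate the Target Principal when one is set. The sample key and email addresses are constructed, and build_credentials assumes the google-auth package is installed.

```python
import json
import os

# Added example (not the collector's code); assumptions are noted in comments.
TOKEN_URI = "https://oauth2.googleapis.com/token"
SCOPES = ["https://www.googleapis.com/auth/cloud-platform"]
SAMPLE_KEY_INFO = {  # constructed sample; the PEM body is a placeholder, not a key
    "type": "service_account",
    "client_email": "collector@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": TOKEN_URI,
}
SAMPLE_KEY_JSON = json.dumps(SAMPLE_KEY_INFO)


def key_problems(info):
    """Explain why a key document is unusable; an empty list means it is usable."""
    if not isinstance(info, dict) or info.get("type") != "service_account":
        return ["not a service_account key document"]
    problems = ["missing " + f for f in ("client_email", "private_key", "token_uri") if not info.get(f)]
    if info.get("private_key") and "BEGIN PRIVATE KEY" not in info["private_key"]:
        problems.append("private_key is not a PEM private key")
    return problems


def resolve_key_info(file_name="", email="", private_key="", env=os.environ):
    """Return the key dict from the first configured source; fail closed otherwise."""
    if file_name:                                  # mode 1: path from file management
        with open(file_name, encoding="utf-8") as fh:
            info = json.load(fh)
    elif email or private_key:                     # mode 2: values copied from the key file
        info = {"type": "service_account", "client_email": email,
                "private_key": private_key, "token_uri": TOKEN_URI}
    elif env.get("GOOGLE_SERVICE_ACCOUNT_INFO"):   # mode 3: one key, applied globally
        info = json.loads(env["GOOGLE_SERVICE_ACCOUNT_INFO"])
    else:
        raise ValueError("no service account key configured")
    problems = key_problems(info)
    if problems:
        raise ValueError("; ".join(problems))
    return info


def build_credentials(info, target_principal=None):
    """google-auth credentials; impersonates the Target Principal when one is given."""
    from google.oauth2 import service_account      # requires google-auth
    creds = service_account.Credentials.from_service_account_info(info, scopes=SCOPES)
    if target_principal:  # the source account needs Service Account Token Creator on it
        from google.auth import impersonated_credentials
        creds = impersonated_credentials.Credentials(
            source_credentials=creds, target_principal=target_principal,
            target_scopes=SCOPES, lifetime=3600)
    return creds
```

A key that is missing fields or carries a non-PEM private_key is refused before any token request is made, which surfaces a mis-pasted value at configuration time rather than as a failed collection run.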

Common Issues:

  1. Collector error "name 'service_account' is not defined": your Dataflux Func does not have google-auth==2.38.0 installed (newer Dataflux Func GSE versions ship with it by default). You can install it manually by entering the package name in the PIP tool, or upgrade the Dataflux Func service.

Appendix: